Mobile Useful
Collection of commands for when working with Android and iOS devices. Device must be Rooted/Jailbroken for almost all commands.
Both
Objection
Another post has been created that is entirely dedicated to using Objection with Android and iOS. That post can be found here.
Search Files for String
Print files that contain a certain strings when in device shell (adb shell). Good for searching for clear-text data stored by apps:
1
grep -ril '/PATH_TO_SEARCH' -e 'SEARCH_TERM`
Search for File Name
1
2
find SEARCH_DIR -name *.sqlite
find SEARCH_DIR -name *.sqlite 2>/dev/null
2>/dev/null
can be used to hide permission denied errors.
Extract App Files
Use the following command to archive an entire app folder so that it can be extracted and viewed on a computer more easily:
1
2
tar -cvzf OUTPUT_FILE FOLDER_TO_TAR
tar -cvzf /sdcard/files.tar /data/user/0/com.example.app/
Android
Android Debug Bridge (adb)
The target device will need to have USB (or wifi) debugging enabled
Description | Command |
---|---|
View Connected Devices | adb devices |
View Connected Devices (with Device Info) | adb devices -l |
Install Package (apk) | adb install local_path_to_apk |
Uninstall Package | adb shell pm uninstall com.example.TestApp |
Get Packages (All Packages) | adb shell pm list packages |
Get Packages (Full APK Path) | adb shell pm list packages -f |
Get Packages (3rd Party Only) | adb shell pm list packages -3 |
Get Packages (System Packages Only) | adb shell pm list packages -s |
Interactive Shell | adb shell |
Run Command without Interactive Shell | adb shell ls -la /sdcard/ |
Copy file TO Device | adb push local_path remote_path |
Copy file FROM Device | adb pull remote_path local_path |
View Logs | adb logcat |
Screenshot | adb shell screencap /sdcard/screenshot.png |
Screen Record | adb shell screenrecord /sdcard/record.mp4 |
Screen Record (with time limit) | adb shell screenrecord –time-limit time_in_seconds /sdcard/record.mp4 |
Enable/Disable Wifi | adb shell svc wifi enable/disable |
Simulate KeyPress (Home Button) | adb shell input keyevent KEYCODE_HOME |
Simulate KeyPress (0400) | adb shell input keyevent 7 11 7 7 |
Start Activity (Call a Number) | adb shell am start -a android.intent.action.DIAL -d tel:+61400000000 |
Start Activity (SMS Someone) | adb shell am start -a android.intent.action.SENDTO -d smsto:+61400000000 –es sms_body ‘Test SMS’ –ez exit_on_sent false |
local
refers to a location/file on the connected PC.remote
refers to a location/file on the connected Device (phone).- More
keyevent
codes can be found online in the Android Docs.
Wifi Passwords
NOTE: that this is a restricted folder, so the device will need to be Rooted.
- Go to the directory
/data/misc/wifi
. - Wifi configuration data should be in
WifiConfigStore.xml
orwpa_supplicant.conf
.
Network Interfaces
Description | Command |
---|---|
Show Network Interfaces | ip -f inet addr show |
Show Single Network Interface | ip -f inet addr show interface_name |
iOS
Binary Info
Display info about an installed binary on an iOS device. Requires iOS device to be jailbroken and the Radare2 tool to be installed. Radare can be installed through Cydia:
- Source = https://cydia.radare.org/
- Package = Radare
1
rabin2 -I /private/var/containers/Bundle/Application/INSERT_ID/APP_NAME/APP_BINARY
-I
Show binary info
Example with DuckDuckGo app:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
rabin2 -I /private/var/containers/Bundle/Application/INSERT_ID/DuckDuckGo.app/DuckDuckGo
arch arm
baddr 0x100000000
binsz 2753920
bintype mach0
bits 64
canary true
class MACH064
crypto true
endian little
havecode true
intrp /usr/lib/dyld
laddr 0x0
lang swift
linenum false
lsyms false
machine all
maxopsz 4
minopsz 4
nx false
os darwin
pcalign 4
pic true
relocs false
sanitiz false
static false
stripped true
subsys darwin
va true
Screenshot Location
If you take a screenshot, the image will be stored in the following location:
/private/var/mobile/Media/DCIM/100APPLE/
NSAllowsArbitraryLoads
Search the app’s Info.plist
file for the NSAppTransportSecurity
key. Ensure the value for NSAllowsArbitraryLoads
key is set to false
unless there is a good reason not to.
Example:
1
2
3
4
5
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
NSURL Caching
NSURLRequests get cached in a file called cache.db
unless explicitly stated not to using the cachePolicy
parameter when creating a NSURLRequest object.